2018-03-13 15:13 GMT-03:00 Olivier Coutu <olivier.co...@zerospam.ca>:
> In the last few months, we have seen an increase of generic emails (e.g.
> regarding unpaid invoices) being sent with links to infected legitimate
> websites hosting malware. This malware often comes in the form of docs with
> macros, e.g. https://pastebin.com/VHz41RUL
>
> In a lot of cases, neither the sender nor the URL is listed in any
> blacklists at send time, and we are looking into ways to deal with these
> links. We have developed some heuristics based on the text, but this is more
> reactive than proactive, and the spams often are very similar to legitimate
> emails. Ideally we would be able to see what is *really* behind these
> links.
>
> The technologies we know exist are:
>
> a) Link following
> Whether it is only for URL shorteners or for all links, simulating a click
> could give us info on what will happen, but it has implications when the
> website interprets that as a click from the user and updates their
> database in some way, such as unsubscribing a user.

Our customers decide whether the filter must follow all redirections or just shortener redirections. If they choose all redirections, the filter will download any file for AV scanning, if one exists. We make it very clear what the implications of the filter are if it follows all redirects. Most have chosen to let the filter follow all redirects, even though they may activate unwanted functions on the links. For them, it is preferable to take the risk of activating unwanted functions than to run the risk of receiving ransomware. I believe that web designers need to get used to the idea of programming double-confirmation functions, because filters that follow all redirects are increasingly common, due to all the abuse we are witnessing. Just putting a confirm button on a web function is enough to avoid unwanted actions.
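The two policies described in the reply (follow only shortener redirects, or follow everything and hand downloads to the AV scanner), modelled as an added example that is not the filter's own code. The redirect table, shortener list and download types are constructed stand-ins for live HTTP responses so the logic runs offline; note in the table how a GET on the unsubscribe link is exactly the side effect the thread warns about.

```python
from urllib.parse import urlparse

# Hypothetical shortener list; a real filter would maintain a curated one.
SHORTENER_HOSTS = {"bit.ly", "t.co", "tinyurl.com"}
# Content types treated as downloads to pass to the AV scanner (constructed set).
DOWNLOAD_TYPES = {"application/msword", "application/octet-stream", "application/zip"}
MAX_HOPS = 5

# Constructed responses: url -> (status, headers). A production filter would do real HTTP here.
# The unsubscribe URL returns a plain page: fetching it is the "unwanted function" risk,
# which a confirm button on the site would turn into a harmless form instead.
RESPONSES = {
    "http://bit.ly/abc": (301, {"Location": "http://example.invalid/invoice"}),
    "http://example.invalid/invoice": (302, {"Location": "http://example.invalid/files/inv.doc"}),
    "http://example.invalid/files/inv.doc": (200, {"Content-Type": "application/msword"}),
    "http://example.invalid/unsubscribe?id=42": (200, {"Content-Type": "text/html"}),
}


def fetch(url):
    """Stand-in for an HTTP GET; unknown URLs behave like an unreachable host."""
    return RESPONSES.get(url, (None, {}))


def follow(url, policy):
    """Resolve `url` under policy 'shorteners' or 'all'.

    Returns (final_url, action): 'scan' (download reached, send to AV),
    'skip' (policy stops here), 'page' (HTML reached), 'unreachable' or 'loop'.
    """
    hops, seen = 0, set()
    while True:
        host = urlparse(url).hostname or ""
        # Shortener-only policy: resolve the shortener, then stop at the first real site.
        if policy == "shorteners" and host not in SHORTENER_HOSTS:
            return url, "skip"
        if url in seen or hops >= MAX_HOPS:
            return url, "loop"
        seen.add(url)
        hops += 1
        status, headers = fetch(url)
        if status is None:
            return url, "unreachable"
        if status in (301, 302, 303, 307, 308):
            url = headers["Location"]
            continue
        ctype = headers.get("Content-Type", "").split(";")[0].strip()
        return url, ("scan" if ctype in DOWNLOAD_TYPES else "page")
```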